
[BOARD] Recent CVE activities



All,

Here is a short writeup on some of our recent and near-term CVE
activities.

1) By next week, we will propose about 200 new candidates for issues
   that were discovered between July and December 2001.  We are trying
   to get to the point where we produce candidates within 1 or 2 weeks
   of the initial announcement.  More software vendors are reserving
   CVE candidates from us on a regular basis (Red Hat is a prominent
   example), which should also help with timeliness for the most
   critical issues.

2) A new CVE version will be created in January.  It is likely that
   over 400 new entries will be added.

3) While the progress may seem slow to outsiders, MITRE's CVE content
   team has made significant strides in the past 6 months.  They are
   now doing most of the refinement of raw submissions into CVE
   candidates, and I am moving more into an editorial role.  Current
   team members include Jeff Taylor, Barbara Pease, Andy Bair, Tiffany
   Bergeron, Jean-Paul Otin, and Franklin Haskell.  I'd like to thank
   all of them for their contributions.

4) It is likely that we won't be able to identify and resolve all the
   issues with respect to establishing and using Candidate Numbering
   Authorities (CNAs) on a regular basis.  The biggest issue involves
   how all involved parties should share candidate numbers to avoid
   releasing different candidates for the same issue.  I am basically
   at the point of defining a short set of guidelines for how
   different parties should interact, establishing the CNAs, and
   ironing out the kinks as we go along.

5) As you may already know, I have been working with Chris Wysopal of
   @stake to develop best current practices documents for
   vulnerability disclosure.  Disclosure issues obviously affect CVE
   content in a number of ways, including the amount of details for
   distinguishing between vulnerabilities, the risk of introducing
   duplicate candidates, and vendor acknowledgement (which is probably
   the biggest factor in the Board's acceptance of CVE candidates).
   Also, as discussed in previous meetings, Board members have
   suggested that CNAs should only provide candidate numbers to
   researchers who follow "responsible disclosure practices."  The
   work I'm doing in defining responsible disclosure will serve as the
   basis for a "CNA disclosure policy."

6) We are adding or recommending several new members for the Editorial
   Board, many of whom will be helping out with the Common Intrusion
   Event List (CIEL) effort.  We still need to add a few more key
   people to the working group before activities can start.
   Additional recommendations will be sent to the private Board
   mailing list in the next week or two.  With the minimum 2-week
   review period by the Board, CIEL activities will probably begin in
   February.

7) We will also be "beta-testing" our CVE compatibility requirements
   evaluation process.  If you have a product that you believe will
   already meet the compatibility requirements, and you're interested
   in the "beta" program, then please notify me and Bob Martin
   (ramartin@mitre.org).


- Steve

Page Last Updated or Reviewed: May 22, 2007